Security

The politics of phishing


In early October of this year, Indiana University graduate student Christopher Soghoian gave a presentation in Washington, DC about the potential risks of online political contributions. While I wasn't able to attend the presentation (I was about 1,500 miles away from DC at the time), the subject is an interesting one at first glance. Soghoian's claim is that online political contribution channels provide a brand new means of defrauding Americans.

In the words of the above-linked Wired article:

The presidential campaigns' tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.

One wonders what behavior in particular Soghoian observed that prompted him to address the matter. In some respects, it seems he might be reacting to the pledge drives for Republican candidate Ron Paul, a dark horse candidate who went from "no chance in the world" to "largest single day of campaign contributions before the primaries in history", in part because of such a pledge drive. The Remember the 5th of November donation drive netted him more than four million dollars of donations in a single day.

There are of course other candidates attempting to achieve similar results. They tend to differ from the Ron Paul effort in a number of ways, however:

  1. They aren't generally grass-roots efforts. Most pledge drives for other candidates are organized with the official sanction and aid of the respective campaigns themselves, whereas the Ron Paul funding drive was organized as a grass-roots effort. There's another such effort gearing up for December 16th, too, apparently affiliated with the same people who got the November 5th effort going.
  2. They have not, at least so far, been as successful in terms of the money gathered or the sheer number of contributors.
  3. Nobody seems to care.

As such, it seems reasonable to assume the target of Soghoian's concerns is the Ron Paul campaign.

Again, from the Wired article:

Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns' sites and similarly send out such e-mails that would encourage people to "donate" money without checking for the authenticity of the site.

In other words, Soghoian's concern is that irresponsible behavior on the part of candidates' campaigns may teach people to be irresponsible with their own financial security. Soghoian claims that impulsive behavior -- akin to the "impulse buy" items in the supermarket checkout lane -- is being encouraged to get people to open up their virtual wallets and give to Presidential campaigns. The positive result, at least from a Presidential candidate's perspective, is that more money flows into the campaign war chest of the candidate. The negative result, at least according to Soghoian, is that people are being subtly trained to be less careful with their decision-making about credit card use online.

Soghoian would have us believe that this somehow constitutes a new threat to the financial security of US citizens. The truth of the matter is that this is not a new threat at all, as Bruce Schneier pointed out. In Schneier's words:

Fake charities and political organizations have long been problems. When you get a solicitation in the mail for "Concerned Citizens for a More Perfect Country" -- insert whatever personal definition you have for "more perfect" and "country" -- you don't know if the money is going to your cause or into someone's pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.

The problems here, as "SteveJ" (one of Schneier's commenters) pointed out, are twofold:

Of course there are two different issues here: trust and identity.

Creating a false charity/campaign, which doesn't really do what it claims with donated money (trust), isn't quite the same thing as posing as a particular charity/campaign and pocketing the donations (identity).

This is a matter of authentication, put quite simply. Somehow, the place where you're donating the money must be authenticated to the satisfaction of the individual being exhorted to donate. We, as active members of US politics, must serve as individual authentication systems to ensure that any donations we give are being given to "the right person" -- both in terms of believing what the candidates say and in terms of making sure that the site you're using for your donation is actually going to put the money into your favorite candidate's campaign.

Soghoian's solution is to centralize and certify all campaign contribution management with specific corporate organizations serving as clearinghouses. The specific examples cited by Soghoian and Markus Jakobsson, co-author of a whitepaper on the subject, are Paypal and Google.

Ultimately, if you're paying attention enough to consider Google or Paypal to be more trustworthy than some candidate campaign Website, you're paying enough attention to be able to make some determinations of your own about who or what is trustworthy enough to send money. The difference is, at most, negligible. This also does not particularly protect you against the specific concerns Soghoian brought up for a number of reasons:

  1. If you are directed to a donation page from a Website designed to look like the campaign's official site, that site can be spoofed no less easily if it's at http://checkout.google.com than if it's at http://ronpaul2008.com -- the same techniques for phishers apply.
  2. The high-pressure marketing tactics of many pledge drives will not be changed by where the actual donation link leads, and neither will a change in link destination change the potential negative effects those tactics might have on the security awareness of their target demographics.
  3. Centralizing the management of all Presidential campaign donations creates a single target on which phishers and other malicious security crackers can focus, and success may bring them far greater rewards. Why settle for redirecting the donation activities for a single candidate when you can target them all simultaneously?
  4. A conspiracy theorist might accuse Soghoian of trying to sideline any less well-known candidates who are less likely to be able to get into Google or Paypal donation clearinghouses. Even though that is probably not his intent, it is a more likely outcome of such a centralization of management than generally improved donation security.

Finally, I doubt many campaigns will even consider such an idea, except as an auxiliary source of campaign contribution revenue that is secondary to the on-site "official" donation channel. After all, in politics -- as in most of the rest of the world of online financial transactions -- going through a third party to handle your financial transactions is viewed by many as a sign of a lack of professionalism.

Having to direct would-be contributors via someone else's logo is perceived by some as indicative of the notion that you might not be able to handle the important matters of your campaign yourself, and while that is an obviously silly assumption for those of us who understand something about the IT industry, it is a no less common assumption. Even worse, though, is the fact that linking to Google or Paypal from the campaign website for handling all official donations is indivisible in many estimations from endorsement of those corporations, and such apparently direct endorsements can rarely be afforded by political campaigns.

To wrap this all up, I'll provide you with some quick hints on how to judge whether you are donating to the genuine article:

  1. Never donate to any Website other than the official campaign site. While there may be safe alternate channels for online donations, your best bet is always the official campaign Website.
  2. Never click on a link from a third-party pledge drive Website. Take a direct route to the campaign website, perhaps by checking the URL to which the link directs you and typing it into the address bar of your Web browser yourself. This will help you avoid spoofed sites.
  3. Do not copy the URL from a third-party site and paste it into the browser's address bar: actually type it. Use of Unicode characters to spoof the URLs of legitimate websites is something you want to be able to circumvent.
  4. Do some research via a search engine to ensure that the apparent official campaign site URL you are using is in fact the genuine article, and not a fly-by-night fake. For instance, http://johnedwards.com is the URL for the official John Edwards Presidential campaign Website, but http://johnedwardsforpresident.com and http://johnedwards2008.com are (as of this writing) still available. Either one might conceivably be used as a temporary landing area for misdirected would-be campaign contributors.
  5. Only contribute via campaign Websites that provide encrypted access for the transaction, and assess the security of the donation process yourself as far as possible before committing to a donation. If your candidate of choice does not provide adequate security, contact a campaign representative and inform them of your concerns. Then, either contribute offline or wait until the problems with online contribution security are fixed. You don't want your bank account to be cleaned out by malicious security crackers just to give your favorite candidate $100, I'm sure. Losing $10,000 of your hard-earned money is probably an unacceptable outcome for you, especially when you cannot be guaranteed that even that $100 donation will get through to the candidate's campaign if security is not sufficient to protect the contribution transaction.
  6. Vote your conscience, not your fears.

Granted, that last point has nothing to do with online financial security, at least in any direct sense. The rest, however, will serve you well in ensuring that your online campaign contributions are safe and end up in the hands of the people to whom you intended to donate them.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

7 comments
ejhonda
ejhonda

This article seemed to have a point at first, but then... I only wish there were a 'thumbs down' icon to click on for this. The security angle is tenuous, at best. The rest of it seems to be marketing and political - both of which don't belong on here. What little that pertains to security could have been wrapped up in a third of the space taken up. Another clunker for IT Security.

apotheon
apotheon

"[i]This article seemed to have a point at first[/i]" I guess the fact that it closed with a list of good habits for maintaining security of your financial information doesn't satisfy you, then. "[i]The security angle is tenuous, at best.[/i]" As far as I'm concerned, it's as important to be aware of fallacious thinking in security relating to pointless alarmism as it is to be aware of genuine security threats. That's why much of the article addresses Chris Soghoian's security alarmism. Do you consider the connection of such a treatment of pointless alarmism to security to be "tenuous at best"? "[i]The rest of it seems to be marketing and political[/i]" Marketing for what? To which political statement do you object? I've read it over several times and still don't see where a clear political statement was actually made -- unless you object to the line about voting your conscience rather than your fears. Is that your problem? "[i]What little that pertains to security could have been wrapped up in a third of the space taken up.[/i]" Considering the list of good security habits at the end, with its minimal surrounding context, would add up to about a third of the article, I might guess that's the part you think should be kept. Of course, considering you said the article seemed to have a point only "at first", I guess that part can't be the part you'd keep. As such, I'm at a loss. I don't know what parts you'd want to keep and what parts you'd want to eliminate.

debohun
debohun

The Ron Paul campaign is the most financially transparent champaign is the history of politics. Donations are available for public review in near real time, with detailed analysis available publicly to both friend and foe. This level of openness is most certainly threatening to the smokey back-room status quo of traditional American politics, and would explain the growing smear efforts against Ron Paul, who is by all accounts as much of a "boy scout" as can be found these days. His supporters' fundraising efforts have been similarly open. While Christopher Soghoian's concerns regarding privacy and financial fraud are valid in general, his concerns regarding the Paul campaign are either politically motivated or simply misinformed.

LubahnD
LubahnD

This is all quite timely with the announcement of the NEW rudysreadinglist.com money bomb TODAY for 11/30 supposedly to get more money for Ron Paul earlier than December 16 so the campaing can buy ads before the primaries. Why do a money bomb at all earlier? Just donate BOTH TODAY AND get the bang for the buck needed when donating on Dec 16 Tea Party for Ron Paul which will generate lots of PR. A smaller than $4 million on 11/30 or on 12/16 will not get us lots of press. Anyway just give money as you can, when you can. Go Ron Paul!

veritas2103
veritas2103

Hopefully your article will help increase the donations to Dr. Paul and make voters think twice about donating online to other candidates. Don't forget Ron Paul is the only candidate transparent with contributions on his website.

apotheon
apotheon

"[i]Don't forget Ron Paul is the only candidate transparent with contributions on his website.[/i]" While I have not verified he is the [b]only[/b] (notable) candidate offering reasonable contribution transparency, I do know that the level of transparency provided by the Ron Paul campaign is quite refreshing in upper-tier US politics. Such transparency is, in fact, a good principle to learn for IT security, as well as for politics. Regardless of whether you favor Ron Paul, John Edwards, or even [url=http://www.cthulhu.org/]Cthulhu for Presdent[/url] (why vote for the lesser evil?), the security matters raised in the article are the main point. Hopefully everyone learns something (or already knew it) about how to safely and responsibly contribute to a Presidential campaign, rather than just latching onto political candidates. Thanks for the comments, veritas2103.

Dr Dij
Dr Dij

If he makes true on his promise to eliminate the Fed Reserve bank. Since 1999, they have increase the money supply to such an extent that your money / salary are worth 50% less than they were in 2000. Masked only by cheap foreign goods and increasing efficiencies in manufacturing that have slowed the apparent inflation.